
Re: [Haskell-cafe] HEADS-UP: security fix, please upgrade clientsession to >= 0.7.3.1



Hi,

On Monday, 03.10.2011, at 10:01 -0300, Felipe Almeida Lessa wrote:
> Please be advised that clientsession < 0.7.3.1 is vulnerable to timing
> attacks [1].  We have just released a fix and it's already on Hackage
> [2].  We advise all users of clientsession (and, consequently, Yesod)
> to upgrade as soon as possible to a version >= 0.7.3.1.
> 
> With a timing attack a malicious user may be able to construct a valid
> MAC for his message.  However, the attacker is not able to recover the
> MAC key or the encryption key.  So you don't need to change your keys,
> just upgrade ASAP.
> 
> Cheers, =)
> 
> [1] https://github.com/snoyberg/clientsession/pull/4
> [2] http://hackage.haskell.org/package/clientsession-0.7.3.1

I guess this means we should update as well. For that, we’d need at
least skein to be packaged for Debian.

Any takers? I won’t have time before tomorrow evening the earliest.

(I have already committed the version bump of clientsession to darcs, but
nothing else, in particular not the dependency bumps.)

Greetings,
Joachim


-- 
Joachim "nomeata" Breitner
Debian Developer
  nomeata@debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
  JID: nomeata@joachim-breitner.de | http://people.debian.org/~nomeata
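The advisory above describes a timing leak in MAC verification without giving the mechanics. The following is an added example, not code from clientsession or from either poster, and it assumes the usual cause of such a leak: a byte-by-byte comparison that returns as soon as a mismatch is found. It shows that pattern next to the standard mitigation, an accumulate-then-check comparison whose running time does not depend on where the first differing byte lies (Python's stdlib also provides `hmac.compare_digest` for this). The key and message are constructed demo values.

```python
import hmac
import hashlib

# Constructed demo values; not keys or payloads from any real deployment.
KEY = b"demo-mac-key-for-illustration-only"
MSG = b"user=alice;expires=9999999999"


def compute_mac(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 tag over the session payload."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def naive_compare(a: bytes, b: bytes) -> bool:
    """Early-exit comparison (the vulnerable pattern).

    Returns at the first mismatching byte, so the time taken grows with the
    number of leading bytes that match. A remote party measuring response
    times can therefore learn whether each guessed tag byte was correct.
    """
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def constant_time_compare(a: bytes, b: bytes) -> bool:
    """Accumulate the XOR of every byte pair and check only at the end.

    Every byte is visited regardless of where a mismatch occurs, so the
    timing carries no information about the position of the first
    differing byte. (In a garbage-collected interpreter this is a faithful
    illustration of the pattern rather than a strict timing guarantee.)
    """
    if len(a) != len(b):
        return False
    acc = 0
    for x, y in zip(a, b):
        acc |= x ^ y
    return acc == 0


def verify_vulnerable(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Verification as it would look with the early-exit comparison."""
    return naive_compare(compute_mac(key, msg), tag)


def verify_fixed(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Verification with the constant-time comparison (the mitigation)."""
    return constant_time_compare(compute_mac(key, msg), tag)
```

Both verifiers accept and reject the same tags; only their timing behaviour differs, which is why the advisory says keys need not be rotated but the comparison must be replaced.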
